FISMA guidance nearly complete

By William Jackson

Oct 26, 2005

The National Institute of Standards and Technology is nearly finished developing guidance documents for compliance with the Federal Information Security Management Act.

"Special Publication 800-53A is the last of the guidelines we will be providing," said Pat Toth of NIST's computer security division. Toth updated attendees on NIST's work at the Federal Information Assurance Conference at the University of Maryland today.

The publication, titled "Guide for Assessing Security Controls in Federal Information Systems," was released for comment in July. A second draft is expected to be released in March 2006.

NIST expects to complete its final FISMA standard, FIPS 200, which governs selection of security controls for information systems, in January or February 2006.

NIST was required to produce standards and implementation guidance for FISMA. The agency's next step will be to begin certification of agencies to perform security assessments for government IT systems.

NIST's work on FISMA guidance was divided into two areas: Federal Information Processing Standards and guidance published in the 800 series of Special Publications. Compliance with both guidelines and standards is mandatory. Technology-specific requirements are included in guidelines rather than standards because they can be more easily updated.

SP800-53A is intended to standardize security assessment practices across government, so they can produce consistent, comparable and repeatable results. This will enable trust relationships between organizations.

"Before you enter into any kind of relationship, it is critical to know where [organizations] stand in regard to security," Toth said.

The public comment period on SP800-53A ended Aug. 31. "We are going through the comments now," Toth said. "We may not have satisfied anyone, so we're probably on the right track." Concerns expressed about the guidelines included that they are too high-level and are not specific enough for implementation, according to Toth.

One change that will definitely be made in the second draft of the publication will be its expanded scope. The first draft covered assessment of only five of the 12 security control areas identified in SP800-53.

"They were the five we felt we could adequately address within the time frame for getting it released," Toth said. "It was felt those areas would address the bulk of agencies' concerns. They were a good starting point."